DK2879008T3 - Procedure for handling a security-critical command in a computer network - Google Patents

Info

Publication number
DK2879008T3
Authority
DK
Denmark
Prior art keywords
code
operator terminal
secure
safe
tan
Application number
DK13194789.7T
Other languages
Danish (da)
Inventor
Frank Müller
Original Assignee
Thales Man & Services Deutschland Gmbh

Classifications

    • GPHYSICS
    • G05CONTROLLING; REGULATING
    • G05BCONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B9/00Safety arrangements
    • G05B9/02Safety arrangements electric
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B61RAILWAYS
    • B61LGUIDING RAILWAY TRAFFIC; ENSURING THE SAFETY OF RAILWAY TRAFFIC
    • B61L19/00Arrangements for interlocking between points and signals by means of a single interlocking device, e.g. central control
    • B61L19/06Interlocking devices having electrical operation
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B61RAILWAYS
    • B61LGUIDING RAILWAY TRAFFIC; ENSURING THE SAFETY OF RAILWAY TRAFFIC
    • B61L19/00Arrangements for interlocking between points and signals by means of a single interlocking device, e.g. central control
    • B61L19/06Interlocking devices having electrical operation
    • B61L2019/065Interlocking devices having electrical operation with electronic means
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B61RAILWAYS
    • B61LGUIDING RAILWAY TRAFFIC; ENSURING THE SAFETY OF RAILWAY TRAFFIC
    • B61L21/00Station blocking between signal boxes in one yard
    • B61L21/04Electrical locking and release of the route; Electrical repeat locks

Description

Background of the invention
[0001] The invention relates to a method for handling a safety critical command in a computer network.
[0002] Such a method is known from DE 10 2006 029 851 A1.
[0003] A safety critical command according to the invention is a command concerning execution of a safety critical process on an element of a safety critical system (e.g. to emergency switch the points of a railway track), where "safety" is related to failure revelation, i.e. the higher the failure revelation the higher the safety category. The expression "safe" is used in the context of exclusion of dangerous outputs of the system, whereas the expression "secured" means that undesired impact of the environment to the system is prevented.
[0004] DE 44 32 419 A1 discloses a method for handling safety critical commands from a safe computer EKIR of an interlocking to a safe area computer. A random number is created by the EKIR and transmitted to the area computer. In order to authorize a command the user has to input the random number, which is sent to the EKIR, where the input and the original random number are compared.
[0005] DE 10 2010 015 285 A1 discloses a method for confirming a safe state of a safety critical system (railway signaling system), wherein an activation code that cannot be machine-read is output to the user. The activation code has to be input manually by the user.
[0006] The known solutions for handling safety critical commands are usually based on a critical command procedure, wherein the operator has to confirm a transaction to be carried out by activating at least one confirmation button as disclosed in DE 10 2006 029 851 A1, or on TAN procedures as known from http://en.wikipedia.org/wiki/Transaction_authentication_number. In order to authorize the execution of a safety critical command a TAN has to be entered manually by the operator, which however is time consuming and complicated. Such TAN procedures are also sensitive to operator faults.
[0007] Within a closed environment the implementation of such a TAN procedure must guarantee the independence of two processing channels within the non-safe operator terminal: a first channel for receiving the TAN from the safe system and displaying it to the operator, and a second channel for receiving the entered TAN from the operator and transferring the entered TAN to the safe system. Within an open environment it must additionally be guaranteed that the transmissions within the first and the second channel are not compromised. Therefore known systems use encrypted transmission. Also for the critical command procedure the independence of the processing of the replicated input within the operator terminal and the independence of the transmission of the replicated input to the safe computer must be guaranteed. This however requires dedicated properties of both end points of the communication; in particular both end points need to be validated and assessed.
Object of the invention
[0008] It is therefore an object of the invention to provide a simplified method for handling a safety critical command in a computer network with reduced requirements concerning hardware and software.
Description of the invention
[0009] This object is achieved by a method according to claim 1 and a use of a computer network according to claim 10 that comprises means adapted to implement the inventive method.
[0010] The inventive method can be carried out in a computer network with a safe computer and a non-safe operator terminal, the command concerning a transaction on an element. According to the invention the method comprises:
• transfer of the command from the non-safe operator terminal to the safe computer;
• generation of a TAN, the TAN identifying the command;
• generation of a first executable code and a second executable code by the safe computer, the second code containing the TAN, the first code being capable of displaying a query on a display device of the non-safe operator terminal and the second code being capable of enabling execution of the transaction;
• encryption of the codes by the safe computer;
• transmission of the encrypted codes to the non-safe operator terminal;
• decryption of the codes by the non-safe operator terminal;
• execution of the first code on the non-safe operator terminal, whereby a query is displayed to the operator with an invitation to confirm the query, i.e. to confirm whether the critical command shall be executed or aborted;
• in case of a confirmation by the operator, the second code is executed and the TAN is transferred to the safe computer.
[0011] A "non-safe" operator terminal is an operator terminal which does not comply with SIL 2, in particular one which does not comply with any safety integrity level. The only functionalities which are mandatory for the non-safe operator terminal are the following: be able to send messages to and receive messages from the safe computer; be able to identify messages that contain encrypted codes; be able to decrypt such messages; and offer a platform to execute the decrypted code. The non-safe operator terminal does not need to have any functionality related to the correct processing of the confirmation procedure. A "safe computer" is a computer that fulfills SIL 2 or better, preferably SIL 4.
[0012] The methodology of the inventive method is based on transmission of encrypted executable codes, which allows the usage of a non-safe operator terminal. The inventive method allows safe transfer of TANs from a safe system to a non-safe operator terminal and backwards while using the same transmission channel. Only one end point (including the code to be transmitted and to be executed by the non-safe operator terminal) of the communication needs to have dedicated properties that need validation and assessment. Dedicated properties refer in particular to independent processing channels, wherein the independency has to be given not only for transmission but also for processing, which means that the corresponding end point needs to comply with SIL 1 0. According to the present invention this is only required for the safe computer, but not for the operator terminal (in contrast to state of the art methods) at which the codes are executed.
[0013] According to the invention the command is entered by an operator at the non-safe operator terminal. The safety critical command is then transferred to a safe system for execution. To ensure that the received command is not compromised by the non-safe device or a non-safe and non-secured transmission, the safe system generates executable codes which are encrypted and transferred to the non-safe operator terminal, thereby contributing to a secured transmission.
[0014] The TAN is preferably generated by the safe computer and identifies the transaction to be carried out (e.g. switch point A to position X).
[0015] Preferably the TAN comprises a one-time password (OTP). The encryption of the codes, in particular of the second code which comprises the TAN, can be done by one-time-pad encryption. Due to the encryption of the codes by the non-safe operator terminal, instantaneous correct functioning of the non-safe operator terminal for executing the code is ensured.
[0016] The first executable code causes the non-safe operator terminal to display a query on a display device according to encoded instructions which have been received from the safe computer. The query requests the operator's confirmation whether the critical command shall be executed or aborted and sends back a TAN-based confirmation message via the second executable code.
[0017] The decryption of the second code is preferably carried out after confirmation by the operator in order to reduce the time between decryption and transmission of the TAN, which causes the safe computer to execute the safety critical transaction.
[0018] The encryption and decryption procedures are aligned between the safe computer and the non-safe operator terminal. Appropriate keys are exchanged prior to encryption. In addition, the execution environment for the first code and the second code (binary type used, external libraries used) should be aligned between the safe computer and the non-safe operator terminal. Preferably Java byte-code is used.
[0019] The inventive method allows a replacement of the complex critical command procedure known from the state of the art, which demands a safe operator terminal. From an operator's perspective the critical command procedure is simplified, since no duplication of input is demanded. Nevertheless it is possible to realize a behavior as known from the critical command procedure by a time-supervised click on two buttons. From a supplier's perspective the need to have a safe operator terminal disappears, i.e. neither hardware nor software of the non-safe terminal needs to fulfill any demands on safety integrity level (SIL). No further assessment activities (validation, safety case, assessment report) are required for the operator terminal. Thus the operator terminal can be made of COTS (commercial off-the-shelf) hardware and software, which saves costs.
[0020] The inventive method allows parallel/concurrent processing of critical commands. By using the inventive method it is not necessary to provide independent channels for transmission of the codes, i.e. a single-channel non-safe operator terminal can be used. Besides, by providing the encryption and the TAN, the communication channels between the operator terminal and the safe computer do not require closed networks anymore.
Preferred variants
[0021] By execution of the first code a preferred variant of the inventive method displays a window on the display device, the window showing a reflection of the command and at least two buttons for confirmation and abortion of the transaction respectively. The display of the query at the non-safe operator terminal can be textual or graphical. Alternatively or in addition the display and/or the confirmation can be acoustic. In case that a critical command procedure is realized by the inventive method, more than two buttons are required. The second code is then split into the corresponding number (corresponding to the number of buttons) of subcodes, the first subcode being the callback for the first button for activating the second button.
[0022] It is preferred that the window further shows information about the status of the element (e.g. "point A is in position Y") and/or of the status of the environment of the element (e.g. "related track section is occupied") on which the transaction is to be performed. The status information helps the operator to decide whether the suggested transaction is uncritical or dangerous under the given circumstances.
[0023] In an advantageous variant of the inventive method the second code contains a call back function for the first code, the call back function transferring the TAN.
[0024] In order to prevent repeated or delayed execution of the transaction the TAN is preferably equipped with a time restriction. In case the TAN is not transmitted within a predetermined time slot or before a predetermined time limit, the transaction is not executed despite a correct TAN.
[0025] In a special variant the first code and the second code are incorporated in one program file.
[0026] Alternatively the first code and the second code are separate program files. By providing the codes as separate program files the time between execution of the first code and the second code can be chosen longer compared to both codes being part of a single program, e.g. several minutes. In this case, for parallel/concurrent processing of critical commands, the first code and the second code of a specified command are linked with each other in order to identify the codes corresponding to said specified command. This can be done by providing each code with an identification feature, e.g. a key, a checksum or a further TAN which is used for encryption and/or assignment of the second code. E.g. the first code can be provided with a key for decryption of the second code. Alternatively the first code can be provided with a key which is compared with the second code.
[0027] Preferably the second code is decrypted immediately before executing the second code. Thus the successful encryption increases the confidence in the correct operation of the non-safe operator terminal.
[0028] In order to minimize the operator's interaction, the confirmation of the operator can be carried out by means of a one-click technique.
[0029] The inventive method can be advantageously used for transactions concerning railway transportation or other guided vehicles.
[0030] The present invention also concerns the use of a computer network system comprising a safe computer and a non-safe operator terminal for safe operation procedures of a predetermined safety integrity level in particular for railway transportation, wherein the safe computer and the non-safe operator terminal are connected to each other in order to transmit messages, wherein the non-safe operator terminal comprises a display device and is set up to identify an encrypted code, to decrypt the encrypted code and to display a query on the display device, wherein the safe computer complies with the predetermined safety category and the non-safe operator terminal does not comply with the predetermined safety category.
[0031] The inventive method is preferably used for technical systems for which IEC 61508, or standards derived from IEC 61508, or similar standards apply, where human interaction to safe services is needed.
[0032] Preferably the predetermined transmission system category is of category 1, 2 or 3 according to EN50159:2010.
[0033] The inventive method can be used for traffic management and safe operation of signaling systems, route control systems, train control systems, and interlocking systems. "Safe operation" is summarizing the process for safe critical command transmission for execution. "Safe transmission" refers to a following voting process, which enables a fault revelation within the process only with means of the components of the computer network used for the inventive method.
[0034] The basis of the invention is the execution of a foreign code (code generated by the safe computer) on a non-safe operator terminal, wherein the code is prepared on a safe system just for that purpose and protected by cryptographic methods. According to the invention it is completely up to the safe computer to control the safety mechanisms that apply to the safe operation procedure. Thus the functional independence of the safety mechanism from peer functions owned by the non-safe operator terminal is given.
[0035] Further advantages can be extracted from the description and the enclosed drawing. The features mentioned above and below can be used in accordance with the invention either individually or collectively in any combination. The embodiments mentioned are not to be understood as exhaustive enumeration but rather have exemplary character for the description of the invention.
Drawings
[0036] The invention is shown in the drawings.
Fig. 1 shows the basic method steps of the inventive method.
Fig. 2 shows a detailed flow chart of a preferred variant of the inventive method, in which the steps are related to the compounds by means of which the steps are carried out.
[0037] The inventive method comprises the steps shown in Fig. 1. A safety critical command f_i(e_k) is transmitted from a non-safe operator terminal to a safe computer, wherein f_i denotes a function (e.g. f_i: switch a point to X) and e_k denotes the element on which the function is to be carried out (e.g. e_k: point A). The safe computer generates a first code A and a second code B, wherein the second code B includes a TAN T. The codes A, B are encrypted and transmitted to the non-safe operator terminal, where the first code A is executed, resulting in displaying a query to the operator. Depending on the operator's input in response to the query the second code B is executed or aborted.
[0038] In contrast to the state of the art methods the codes A, B are executed as "foreign codes", i.e. the codes A, B are generated at the safe computer and are subject to the safety requirements of the safe computer, but are executed at the non-safe operator terminal, which is not responsible for the correctness of the codes and for safety integrity; that is up to the safe computer. "Safety integrity" in particular refers to the correlation of the first code A and the second code B, the OTP quality of the TAN T and the correctness of the codes A, B. The correct operation of the non-safe operator terminal can be verified or falsified by the correct encryption of the codes A and B at the non-safe operator terminal.
[0039] Fig. 2 shows a detailed sequence of the steps of a preferred variant of the inventive method, wherein the method steps are assigned to the component at which they are carried out. First the safety critical command f_i(e_k) is entered by an operator at the non-safe operator terminal (step 1) prior to the transfer from the non-safe operator terminal to a safe computer (step 2). Before execution of the command f_i(e_k) it must be ensured that the received safety critical command f_i(e_k) is correct and not compromised (modified). Often it must additionally be ensured that the element e_k is in the correct state s to perform the function f_i. The first code A generated by the safe computer (step 3) presents a window containing a reflection of the received critical command f_i(e_k) and two buttons to confirm or abort the operation respectively. Additionally the window can also contain information about a status s of the element e_k and/or a status of the environment (not shown). The second code B generated by the safe computer (step 5) contains a callback function for the first code A. The callback function transfers a TAN T, which has also been generated by the safe computer (e.g. as a one-time password), optionally equipped with a time restriction (step 4). The TAN T safely identifies the critical command f_i(e_k) for execution. As code A and code B have been generated on the safe system, there is functional independence between the codes A, B and the data and codes owned by/located on the non-safe operator terminal. Both code A and code B are then encrypted by the safe computer (step 6) and transferred to the non-safe operator terminal (step 7).
[0040] On the non-safe operator terminal the first code A is decrypted and executed (step 8). By executing the first code A the window is displayed to the operator (step 9). The operator now votes on whether the safety critical command f_i(e_k) is to be performed or aborted (step 10) and accordingly sends a confirmation or a rejection to the non-safe operator terminal (step 11), e.g. by a one-click operation on an "OK" or "abort" button. For one-click operator confirmation, codes A and B are prepared in a manner that prevents unintended execution of the second code B (e.g. due to a malfunction of the non-safe operator terminal). Therefore, in case of mouse operation the click event is accepted only if the mouse moved only within the window of code A right before this click. This is supervised by code A or code B respectively. In case of touch screens equivalent defined gestures are used and supervised.
[0041] In case the operator confirms the requested safety critical command f_i(e_k), the decrypted second code B is executed by the non-safe operator terminal (step 12) and the TAN T is transferred to the safe computer (step 13). The decryption of the second code B is carried out by the non-safe operator terminal prior to or after the confirmation of the operator (not shown). The safe computer can finally vote on the correctness of the received TAN (step 14) and execute the critical command in case of a positive vote (step 15).
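The click supervision of [0040] as an added example in Python (not code from the patent or from Thales): a click on the OK button of the window drawn by code A counts only if every pointer movement in the interval right before the click stayed inside that window. The event format, the 500 ms interval, the window geometry and the sample traces are assumptions constructed for this example; a click with no recorded movement at all is treated as unintended, which is a design choice of this example rather than something the patent specifies.

```python
"""Constructed model of the one-click supervision described in [0040]."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rect:
    x: int
    y: int
    w: int
    h: int

    def contains(self, px: int, py: int) -> bool:
        return self.x <= px < self.x + self.w and self.y <= py < self.y + self.h


SUPERVISION_MS = 500  # assumption: how far back the motion trail before the click is inspected


def click_accepted(events, window: Rect, ok_button: Rect, supervision_ms: int = SUPERVISION_MS) -> bool:
    """events: time-ordered list of (t_ms, kind, x, y) with kind "move" or "click".

    Accept only when the last event is a click on the OK button and every pointer movement
    recorded in the preceding supervision interval lies inside the window of code A. A click
    without any preceding movement (e.g. an injected or stuck event) is rejected, as is any
    movement that started or passed outside the window."""
    if not events or events[-1][1] != "click":
        return False
    t_click, _, cx, cy = events[-1]
    if not window.contains(cx, cy) or not ok_button.contains(cx, cy):
        return False
    trail = [(x, y) for t, kind, x, y in events[:-1]
             if kind == "move" and t >= t_click - supervision_ms]
    return bool(trail) and all(window.contains(x, y) for x, y in trail)


# constructed geometry: the confirmation window of code A and its OK button
WINDOW = Rect(100, 100, 400, 200)
OK_BUTTON = Rect(120, 250, 80, 30)


def sample_cases():
    """Constructed pointer traces and whether the click should count."""
    inside = [(t, "move", 150 + t // 10, 200 + t // 20) for t in range(0, 400, 50)]
    return {
        "confined_to_window": click_accepted(inside + [(420, "click", 150, 260)], WINDOW, OK_BUTTON),
        "entered_from_outside": click_accepted(
            [(0, "move", 50, 50), (200, "move", 150, 200), (420, "click", 150, 260)], WINDOW, OK_BUTTON),
        "old_outside_motion_ignored": click_accepted(
            [(0, "move", 50, 50), (700, "move", 150, 200), (900, "click", 150, 260)], WINDOW, OK_BUTTON),
        "no_motion_at_all": click_accepted([(420, "click", 150, 260)], WINDOW, OK_BUTTON),
        "click_beside_button": click_accepted(inside + [(420, "click", 300, 150)], WINDOW, OK_BUTTON),
    }
```

The check is deliberately pure: it consumes an event list rather than hooking a GUI toolkit, so code A can apply it to whatever pointer events the terminal hands it, and a touch-screen variant only has to supply a different trace and window.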
[0042] The safe operation according to the invention is still TAN based. But the involvement of the operator into that well-known TAN procedure can be reduced to a minimum: one-click confirmation.
[0043] The presented invention presumes a cryptographic infrastructure both on the non-safe operator terminal and on the safe system. The inventive safe operation via the non-safe operator terminal using cryptographic methods grants a minimized user interaction and built-in independence of incoming and outgoing information processing although using a single channeled non-safe operator terminal and a single channeled transmission, where "safe" is related to failure revelation.
[0044] With the inventive method a variety of failure modes can be detected and treated, some of which are described in the following:
In case of a significant delay or a suppression between steps 1 and 8, step 8 will be too late or not executed which is obviously revealed by the operator.
[0045] Any corruption or misrouting during steps 1 and 2 (e.g. a modified command) is revealed by the operator when voting on whether the displayed command should be executed or aborted (step 10).
[0046] An insertion of a transmission of a command (step 2) will also be revealed during step 9.
[0047] Any misrouting during the transmission of the codes A, B (step 7) is revealed at the wrong receiver during decryption of code A (step 8), since no successful decryption is possible there, and at the correct receiver during voting (step 9), since the query is suppressed on that side.
[0048] Any unintended execution of code A (at step 8) is revealed by the properties of code A (reflection of the critical command) during the voting (step 10).
[0049] Any unintended transmission of the TAN T (step 13) can be prevented by the properties of code B, in particular by the properties of the TAN T, which can be generated as an OTP dedicated to the request "Perform f_i(e_k)" (step 4).
[0050] Any significant delay or suppression during the transmission of the TAN T (step 13) is revealed by missing or delayed reaction of the safe system within steps 14 and 15.
[0051] Any insertion or corruption or misrouting during the transmission of the TAN T (step 13) is revealed during the voting (step 14).
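The exchange of Fig. 2 (steps 2 to 15, [0039] to [0041]), i.e. the method of [0010], together with the failure modes of [0044] to [0051], simulated as an added example in Python; this is not code from the patent or from Thales. It models the two executable codes as small instruction records that the terminal interprets (the patent prefers Java byte-code), encrypts them with one-time pads (code A with a pre-shared pad as in [0018], code B with a pad carried inside code A, as [0026] suggests), and appends a SHA-256 digest as a constructed integrity feature so that decryption with the wrong pad is revealed rather than silently yielding garbage. PAD_LEN, B_PAD_LEN, TAN_VALIDITY_SECONDS, the record fields and the scenario inputs are all assumptions of this example.

```python
"""Added example: the foreign-code TAN exchange of Fig. 2 and its failure modes (not patent code)."""
import hashlib
import hmac
import json
import secrets

PAD_LEN = 1024               # assumption: size of each pre-shared one-time pad for code A
B_PAD_LEN = 128              # assumption: size of the pad for code B, shipped inside code A
TAN_VALIDITY_SECONDS = 30.0  # assumption: time restriction attached to the TAN ([0024])


def otp_xor(pad, data):
    """One-time pad: XOR with a pad used exactly once; XOR is its own inverse."""
    if len(pad) < len(data):
        raise ValueError("pad shorter than data")
    return bytes(d ^ p for d, p in zip(data, pad))


def seal(pad, record):
    """Serialize a code record, append a SHA-256 digest (constructed, cf. the checksum of [0026]), OTP-encrypt."""
    body = json.dumps(record, sort_keys=True).encode()
    return otp_xor(pad, body + hashlib.sha256(body).digest())


def unseal(pad, blob):
    """Inverse of seal(); raises ValueError if the pad does not match (misrouting, [0047])."""
    plain = otp_xor(pad, blob)
    body, digest = plain[:-32], plain[-32:]
    if not hmac.compare_digest(hashlib.sha256(body).digest(), digest):
        raise ValueError("decryption failed: integrity check mismatch")
    return json.loads(body)


class SafeComputer:
    """The SIL computer: it alone owns the TAN, the codes and every safety decision ([0034])."""
    def __init__(self, pads, clock):
        self.pads = list(pads)   # pre-shared pads, one consumed per command ([0018])
        self.clock = clock       # injectable so the time restriction can be exercised
        self.pending = {}        # TAN -> (command, deadline)
        self.executed = []

    def receive_command(self, command):
        """Steps 3-7: build code A (query) and code B (callback carrying the TAN), encrypt both."""
        tan = secrets.token_hex(16)                       # one-time TAN identifying the command
        self.pending[tan] = (command, self.clock() + TAN_VALIDITY_SECONDS)
        key_b = secrets.token_bytes(B_PAD_LEN)            # pad for code B, carried inside code A
        code_a = {"type": "query", "key_b": key_b.hex(), "status": command.get("status", ""),
                  "reflection": f"Perform {command['function']}({command['element']})?"}
        code_b = {"type": "callback", "tan": tan}
        return seal(self.pads.pop(0), code_a), seal(key_b, code_b)

    def vote(self, tan):
        """Steps 14-15: accept a TAN only if known, only once, and only within its time slot."""
        entry = self.pending.pop(tan, None)
        if entry is None:
            return "rejected: unknown or already used TAN"
        command, deadline = entry
        if self.clock() > deadline:
            return "rejected: TAN expired"
        self.executed.append(command)
        return "executed"


class OperatorTerminal:
    """Non-safe COTS terminal: it only transports, decrypts and runs foreign code ([0011])."""
    def __init__(self, pads):
        self.pads = list(pads)

    def run(self, enc_a, enc_b, operator):
        code_a = unseal(self.pads.pop(0), enc_a)                  # step 8
        if not operator(code_a["reflection"], code_a["status"]):  # steps 9-11: the operator votes
            return None                                           # aborted: code B never decrypted
        code_b = unseal(bytes.fromhex(code_a["key_b"]), enc_b)    # step 12, right before use ([0027])
        return code_b["tan"]                                      # step 13: callback yields the TAN


def run_scenarios():
    """Nominal exchange plus the failure modes of [0044]-[0051], under a controllable clock."""
    now = [1000.0]
    pads = [secrets.token_bytes(PAD_LEN) for _ in range(6)]   # constructed pre-shared pads
    safe, term = SafeComputer(pads, clock=lambda: now[0]), OperatorTerminal(pads)
    cmd = {"function": "switch_point_to_X", "element": "point A", "status": "point A in position Y"}
    confirm, abort = (lambda q, s: True), (lambda q, s: False)
    tan = term.run(*safe.receive_command(cmd), confirm)       # nominal: operator confirms
    results = {"nominal": safe.vote(tan)}
    results["operator_abort"] = term.run(*safe.receive_command(cmd), abort)  # None: B never ran
    tan = term.run(*safe.receive_command(cmd), confirm)       # replay of a captured TAN ([0049])
    results["replay"] = (safe.vote(tan), safe.vote(tan))
    tan = term.run(*safe.receive_command(cmd), confirm)       # TAN corrupted in transit ([0051])
    results["corrupted"] = safe.vote(tan[:-1] + ("0" if tan[-1] != "0" else "1"))
    tan = term.run(*safe.receive_command(cmd), confirm)       # TAN delayed past its slot ([0050])
    now[0] += TAN_VALIDITY_SECONDS + 1
    results["delayed"] = safe.vote(tan)
    wrong = OperatorTerminal([secrets.token_bytes(PAD_LEN)])  # misrouting: no matching pad ([0047])
    try:
        results["misrouted"] = wrong.run(*safe.receive_command(cmd), confirm)
    except ValueError as exc:
        results["misrouted"] = str(exc)
    results["executed_count"] = len(safe.executed)
    return results
```

Two points are worth noticing in the simulation. The terminal contains no safety logic at all: it pops a pad, decrypts, shows a string, and runs whatever callback it is given, which is exactly the property [0011] and [0034] rely on. And every rejection (replay, corruption, delay, misrouting) is decided either by the safe computer's vote or by a failed decryption, never by the terminal, so the terminal's correctness only affects availability, not safety.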
List of reference signs
[0052]
A first code
B second code
T TAN
f_i function
e_k element
f_i(e_k) safety critical command
s status of the element
REFERENCES CITED IN THE DESCRIPTION
This list of references cited by the applicant is for the reader's convenience only. It does not form part of the European patent document. Even though great care has been taken in compiling the references, errors or omissions cannot be excluded and the EPO disclaims all liability in this regard.
Patent documents cited in the description
• DE 102006029851 A1 [0002] [0006]
• DE 4432419 A1 [0004]
• DE 102010015285 A1 [0005]

Claims (11)

1. A method for handling a safety critical command (f_i(e_k)) in a computer network with a safe computer and a non-safe operator terminal, the command concerning a transaction on an element (e_k), the method comprising:
- transfer of the command (f_i(e_k)) from the non-safe operator terminal to the safe computer;
- generation of a TAN (T), the TAN (T) identifying the command;
the method being further characterized by
- generation of a first executable code (A) and a second executable code (B) by the safe computer, the second code (B) containing the TAN (T), the first code (A) being capable of displaying a query on a display device of the non-safe operator terminal, and the second code (B) being capable of enabling execution of the transaction;
- encryption of the codes (A, B) by the safe computer;
- transmission of the encrypted codes (A, B) to the non-safe operator terminal;
- decryption of the codes (A, B) by the non-safe operator terminal;
- execution of the first code (A) on the non-safe operator terminal, whereby a query is displayed to the operator with an invitation to confirm whether the critical command shall be executed or aborted;
- in case of a confirmation by the operator, execution of the second code (B) and transfer of the TAN (T) to the safe computer.
2. Method according to claim 1, characterized in that by execution of the first code (A) a window is displayed on the display device, the window showing a reflection of the command and at least two buttons for confirmation and abortion of the transaction respectively.
3. Method according to claim 2, characterized in that the window further shows information about the status (s) of the element (e_k) and/or the status of the environment of the element (e_k) on which the transaction is to be performed.
4. Method according to one of the preceding claims, characterized in that the second code (B) contains a callback function for the first code (A), the callback function transferring the TAN (T).
5. Method according to one of the preceding claims, characterized in that the TAN (T) is equipped with a time restriction.
6. Method according to one of claims 1 to 5, characterized in that the first code (A) and the second code (B) are incorporated in one program file.
7. Method according to one of claims 1 to 5, characterized in that the first code (A) and the second code (B) are separate program files.
8. Method according to one of the preceding claims, characterized in that the operator's confirmation is carried out by means of a one-click technique.
9. Method according to one of the preceding claims, characterized in that the method is used for transactions concerning railway transportation or other guided vehicles.
10. Use of a computer network system comprising means adapted to implement the method according to one of the preceding claims.
11. Use according to claim 10, characterized in that a safe computer and a non-safe operator terminal are provided for safe operation procedures of a predetermined safety integrity level, in particular for railway transportation, wherein the safe computer and the non-safe operator terminal are connected to each other in order to transmit messages, wherein the non-safe operator terminal comprises a display device and is set up to identify an encrypted code (A, B), to decrypt the encrypted code (A, B) and to display a query on the display device, wherein the safe computer complies with the predetermined safety category and the non-safe operator terminal does not comply with the predetermined safety category.
DK13194789.7T 2013-11-28 2013-11-28 Procedure for handling a security-critical command in a computer network DK2879008T3 (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
EP13194789.7A EP2879008B1 (en) 2013-11-28 2013-11-28 Method for handling a safety critical command in a computer network

Publications (1)

Publication Number Publication Date
DK2879008T3 true DK2879008T3 (en) 2018-09-17

Family

ID=49919978

Family Applications (1)

Application Number Title Priority Date Filing Date
DK13194789.7T DK2879008T3 (en) 2013-11-28 2013-11-28 Procedure for handling a security-critical command in a computer network

Country Status (9)

Country Link
EP (1) EP2879008B1 (en)
AU (1) AU2014356749B2 (en)
DK (1) DK2879008T3 (en)
ES (1) ES2681822T3 (en)
IL (1) IL245664B (en)
PL (1) PL2879008T3 (en)
PT (1) PT2879008T (en)
SA (1) SA516371217B1 (en)
WO (1) WO2015078700A1 (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3112964B1 (en) * 2015-07-01 2019-03-27 Abb Ag A method and system for safety-relevant input to a control system
HUE059058T3 (en) * 2018-04-06 2023-01-28 Thales Man & Services Deutschland Gmbh Train traffic control system and method for safe displaying a state indication of a route and train control system
EP3549841B1 (en) * 2018-04-06 2022-06-01 Thales Management & Services Deutschland GmbH Train traffic control system and method for carrying out safety critical operations within a train traffic control system

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE4432419C2 (en) * 1994-09-02 2003-04-24 Siemens Ag Procedure for handling commands requiring approval and device for carrying out the procedure
DE102005013194A1 (en) * 2005-03-16 2006-09-21 Siemens Ag Workstation system
DE102006029851A1 (en) 2006-06-27 2008-02-21 Deutsche Bahn Ag Security-relevant drive element manipulating method for nuclear power plant, involves determining whether both security-relevant and new dual inputs are matched and/or whether desired condition of drive element is occupied by element
EP2253524B1 (en) * 2009-05-19 2012-07-04 Siemens Schweiz AG Method and system for adjusting a route for rail-based traffic
DE102010015285A1 (en) * 2010-04-14 2011-10-20 Siemens Aktiengesellschaft Method and device for confirming a fail-safe state of a safety-critical system

Also Published As

Publication number Publication date
EP2879008B1 (en) 2018-07-04
ES2681822T3 (en) 2018-09-17
WO2015078700A1 (en) 2015-06-04
SA516371217B1 (en) 2020-10-29
EP2879008A1 (en) 2015-06-03
PT2879008T (en) 2018-10-29
PL2879008T3 (en) 2018-11-30
IL245664B (en) 2018-10-31
IL245664A0 (en) 2016-06-30
AU2014356749B2 (en) 2019-01-17
AU2014356749A1 (en) 2016-06-02

Similar Documents

Publication Publication Date Title
CN101901318B (en) Trusted hardware equipment and using method thereof
CN107094133B (en) Anonymous and temporary token for verifying elevator calls
CN108834144B (en) Method and system for managing association of operator number and account
US9135434B2 (en) System and method for third party creation of applications for mobile appliances
CN104881602B (en) Unmanned participation and the device authorization of safety
US10361867B2 (en) Verification of authenticity of a maintenance means connected to a controller of a passenger transportation/access device of a building and provision and obtainment of a license key for use therein
US20140052994A1 (en) Object Signing Within a Cloud-based Architecture
EP3439261A1 (en) Secure communication method and apparatus for vehicle, multimedia system for vehicle, and vehicle
US10404717B2 (en) Method and device for the protection of data integrity through an embedded system having a main processor core and a security hardware module
US10541819B2 (en) Forged command filtering system and related command authentication circuit
EP3429168A1 (en) Secure communication method and apparatus for vehicle, vehicle multimedia system, and vehicle
DK2879008T3 (en) Procedure for handling a security-critical command in a computer network
CN111431840B (en) Security processing method and device, computer equipment and readable storage medium
US11068579B2 (en) Method and system of performing an authorization mechanism between a service terminal system and a helpdesk system
EP3429158A1 (en) Secure communication method and apparatus for vehicle, vehicle multimedia system, and vehicle
CN103036681A (en) Password safety keyboard device and system
CN110278083A (en) ID authentication request treating method and apparatus, equipment replacement method and apparatus
US20060272004A1 (en) Granting an access to a computer-based object
CN107872794A (en) Channel connection control method and device
KR20140043537A (en) Secure communication apparatus and method for securing scada communication network
CN107924610B (en) Method and device for increasing safety during remote triggering, motor vehicle
CN110138737B (en) Authority control method, authority control equipment, user equipment and system
CN114465821B (en) Data transmission system and data transmission method
CN113169963B (en) Method for processing an application program in a distributed automation system
CN115146284A (en) Data processing method and device, electronic equipment and storage medium